Method for providing user access control within a distributed data processing system by the
exchange of access control profiles.



A method is disclosed for providing user access control for a plurality of resource objects within a
distributed data processing system having a plurality of resource managers. A reference monitor service
is established and a plurality of access control profiles are stored therein. Thereafter, selected access
control profiles are exchanged between the reference monitor service and a resource manager in
response to an attempted access (82) of a particular resource object controlled by that resource
manager. The resource manager may then control access to the resource object by utilizing the
exchanged access control profile (86-98). In a preferred embodiment of the present invention, each
access control profile may include access control information relating to a selected user; a selected
resource object; a selected group of users; a selected set of resource objects; or, a predetermined set
of resource objects and a selected group of users.
METHOD FOR PROVIDING USER ACCESS CONTROL WITHIN A DISTRIBUTED DATA PROCESSING
SYSTEM BY THE EXCHANGE OF ACCESS CONTROL PROFILES



The present invention relates to data processing
systems in general and in particular to improved
methods of providing access control for a plurality of
resource objects within a distributed data processing
system. Still more particularly, the present invention
relates to a system which permits the rapid and efficient
interchange of access control information
throughout a distributed data processing system.

Security and access control systems in computer
based data processing systems are well known in the
prior art. Existing access control systems are generally
oriented to a single host system. Such single host
access control systems are generally utilized to provide
security for the host and access control to applications
and system resources, such as files. Each
application must generally provide access control for
the resources controlled by that application.

One example of an access control system designed
for utilization with the IBM 370 system is a product
called RACF, or Resource Access Control Facility.
RACF offers access control for applications, such as
files or CICS transactions, and is hierarchically oriented
in access authority levels and grouping of users.
RACF is a "password" oriented access control system
and access is granted or denied based upon a user's
individual identity and his or her knowledge of an
appropriate password to verify that identity. The
RACF system is, however, oriented to a single host
system and cannot be employed in a distributed data
processing system which employs multiple hosts
associated with separate groups of resource objects,
due to the fact that this system does not allow the
interchange of access control information from one
host to another.

Another example of known access control systems
is AS/400. The AS/400 system is a capability
based system in which security is based upon each
individual resource object. Each user is authorized to
access individual resource objects based upon the
user's capability within the system. The AS/400 system
maintains security by keeping User Profiles,
Object Authority, and System Values within the
architecture of the machine itself. As above, this system
is highly efficient at controlling access to resource
objects controlled by a single host; however, access
to resource objects located within a distributed data
processing system containing multiple hosts cannot
be controlled. That is, access to a resource object
controlled by one host cannot be obtained by a user
enrolled at a second host.

One other example of an access control system
is the DB2 product. This product permits a more flexible
access control and offers granular or bundled
access control authority. For example, the DB2 system
may utilize special authorities for administration
or database operations. Further, access privilege may
be bundled into a specified authority or role so that a
user may access specific resource objects based
upon the user's title or authority level, rather than the
user's personal identity. However, as above, the DB2
system does not possess the capability of exchanging
access control information with non-DB2 applications.
Therefore, it should be obvious that a need exists
for a method of providing access control in a distributed
data processing system whereby access to
selected resource objects may be controlled throughout
the distributed data processing system by means
of the exchange of access control information
throughout the system.

It is therefore one object of the present invention 
to provide an improved data processing system. 

It is another object of the present invention to provide
an improved method of providing access control
for a plurality of resource objects within a distributed
data processing system.

It is yet another object of the present invention to
provide an improved method of providing access control
for a plurality of resource objects within a distributed
data processing system which permits the rapid
and efficient interchange of access control information
throughout a distributed data processing system.

The foregoing objects are achieved as is now
described. The method of the present invention may
be utilized to provide user access control for a plurality
of resource objects within a distributed data processing
system having a plurality of resource managers.
A reference monitor service is established and a
plurality of access control profiles are stored therein.
Thereafter, selected access control profiles are
exchanged between the reference monitor service
and a resource manager in response to an attempted
access of a particular resource object controlled by
that resource manager. The resource manager may
then control access to the resource object by utilizing
the exchanged access control profile. In a preferred
embodiment of the present invention, each access
control profile may include access control information
relating to a selected user; a selected resource
object; a selected group of users; a selected set of
resource objects; or, a predetermined set of resource
objects and a selected list of users each authorized to
access at least a portion of said predetermined set of
resource objects.

The novel features believed characteristic of the
invention are set forth in the appended claims. The
invention itself, however, as well as a preferred mode
of use, further objects and advantages thereof, will
best be understood by reference to the following
detailed description of an illustrative embodiment
when read in conjunction with the accompanying
drawings, wherein:

Figure 1 depicts a pictorial representation of a distributed
data processing system which may be
utilized to implement the method of the present
invention;

Figure 2 depicts in block diagram form the access
control system utilized with the method of the present
invention;

Figure 3 is a high level flow chart depicting the
establishment of an access control system in
accordance with the method of the present invention;
and

Figure 4 is a high level flow chart depicting access
to a resource object in accordance with the
method of the present invention.
With reference now to the figures, and in particular
with reference to Figure 1, there is depicted a pictorial
representation of a data processing system 8
which may be utilized to implement the method of the
present invention. As may be seen, data processing
system 8 may include a plurality of networks, such as
Local Area Networks (LAN) 10 and 32, each of which
preferably includes a plurality of individual computers
12 and 30, respectively. Of course, those skilled in the
art will appreciate that a plurality of Interactive Work
Stations (IWS) coupled to a host processor may be
utilized for each such network.

As is common in such data processing systems,
each individual computer may be coupled to a storage
device 14 and/or a printer/output device 16. One or
more such storage devices 14 may be utilized, in
accordance with the method of the present invention,
to store applications or resource objects which may
be periodically accessed by any user within data processing
system 8. In a manner well known in the prior
art, each such application or resource object stored
within a storage device 14 is associated with a
Resource Manager, which is responsible for maintaining
and updating all resource objects associated
therewith.

Still referring to Figure 1, it may be seen that data
processing network 8 may also include multiple main
frame computers, such as main frame computer 18,
which may be preferably coupled to Local Area Network
(LAN) 10 by means of communications link 22.
Main frame computer 18 may also be coupled to a
storage device 20 which may serve as remote storage
for Local Area Network (LAN) 10. Similarly, Local
Area Network (LAN) 10 may be coupled via communications
link 24 through a subsystem control
unit/communications controller 26 and communications
link 34 to a gateway server 28. Gateway server
28 is preferably an individual computer or
Interactive Workstation (IWS) which serves to link
Local Area Network (LAN) 32 to Local Area Network
(LAN) 10.

As discussed above with respect to Local Area
Network (LAN) 32 and Local Area Network (LAN) 10,
resource objects may be stored within storage device
20 and controlled by main frame computer 18, as
resource manager for the resource objects thus
stored. Of course, those skilled in the art will
appreciate that main frame computer 18 may be
located a great geographic distance from Local Area
Network (LAN) 10 and similarly Local Area Network
(LAN) 10 may be located a substantial distance from
Local Area Network (LAN) 32. That is, Local Area Network
(LAN) 32 may be located in California while
Local Area Network (LAN) 10 may be located within
Texas and main frame computer 18 may be located
in New York.

In known prior art systems of this type, should the
user of an individual computer 30 desire to access a
resource object stored within storage device 20
associated with main frame computer 18, it will be
necessary for the user of computer 30 to be enrolled
within the security system of main frame computer 18.
This is necessary in order for the user of computer 30
to present the proper password to obtain access to the
desired resource object. Of course, those skilled in
the art will appreciate that this technique will prove
ungainly in distributed data processing systems, such
as data processing system 8 depicted within Figure 1.

Referring now to Figure 2, there is depicted in
block diagram form the access control system which
is utilized with the method of the present invention. As
is depicted, Local Area Networks (LAN) 10 and 32 are
illustrated by dashed lines as is main frame computer
18. In each instance resource objects 42, 48 and 54
are illustrated in association with each portion of distributed
data processing system 8 of Figure 1. Of
course, each object thus illustrated will be stored
within one or more storage devices associated with
each portion of data processing system 8. As is illustrated,
Local Area Network 10 includes a resource
manager 40 which may be one or more individual
computers which are utilized to manage selected
resource objects. Also established within Local Area
Network 10 is a Reference Monitor 44. Reference
Monitor 44, in accordance with the method of the present
invention, is an application or service which is
utilized to store access control profiles which may
include access control information relating to selected
users; selected resource objects; a selected
group of users; a selected set of resource objects;
or, a predetermined set of resource objects and a
selected list of users, each authorized to access at
least a portion of said predetermined set of resource
objects.

Still referring to Figure 2, it may be seen that
within Local Area Network (LAN) 32 a resource manager
46 is illustrated, which is utilized, in a manner
well known in the art, to control access to resource
object 48. Similarly, a Reference Monitor 50 is
established within Local Area Network (LAN) 32.
Reference Monitor 50 is, as described above, preferably
utilized to store access control profiles relating to
individual users within Local Area Network 32 as well
as resource objects stored within Local Area Network
32.

Finally, main frame computer 18 is illustrated as
including a resource manager 52 which has
associated therewith one or more resource objects
54.

In accordance with an important feature of the
present invention, any attempted access of a
resource object such as resource object 42, 48 or 54
will automatically result in a query by the associated
resource manager to one or more Reference Monitor
applications to determine whether or not the access
requested will be permitted. It should be noted that, in
accordance with the depicted embodiment of the present
invention, only one Reference Monitor application
is required for data processing system 8;
however, two are illustrated. In accordance with the
method of the present invention, communications
links between a single Reference Monitor application
may be established with each and every resource
manager within data processing system 8 (see Figure
1) so that access to selected resource objects may be
controlled in accordance with the access control information
stored within the profiles within that Reference
Monitor.

In this manner, a user within Local Area Network
(LAN) 32 may, via the communications links depicted
within Figure 1, request access to a resource object
54 associated with main frame computer 18. As will be
explained in greater detail herein, resource manager
52 will then query Reference Monitor 44 and/or Reference
Monitor 50 to determine whether or not a profile
exists which permits the requested access. If so, the
profile information is exchanged between the appropriate
Reference Monitor and resource manager 52
and access to resource object 54 may be permitted.

With reference now to Figure 3, there is depicted
a high level flowchart illustrating the establishment of
an access control system in accordance with the
method of the present invention. As is illustrated, the
process begins at block 60 and thereafter passes to
block 62, which depicts the defining of an access control
profile for an object or group of objects, by the
associated resource manager. Thereafter, block 64
illustrates the storing of that profile within a Reference
Monitor application. Next, block 66 illustrates a determination
of whether or not additional objects require
an access control profile to be established and if so,
the process returns to block 62 and continues thereafter
in an iterative fashion.

In the event no additional resource objects
require access control profiles, the process passes to
block 68 which illustrates the establishment by an
associated resource manager of an access control
profile for one or more users within the distributed
data processing system. Thereafter, block 70 illustrates
the storing of the access control profile thus
created in an associated Reference Monitor application.
Block 72 next determines whether or not
additional users within the data processing system
require access control profiles to be created. If so, as
above, the process returns to block 68 to define the
additional profiles. In the event no additional users
require access control profiles, then the process terminates,
as illustrated in block 74. Of course, those
skilled in the art will appreciate that in this manner it
will be possible to create various access control profiles
which contain access control information relating
to a single resource object, a group of resource
objects, an individual user, a group of users, or, a predetermined
set of resource objects and a selected
group of users.

Finally, referring to Figure 4, there is depicted a
high level flow chart depicting access to a resource
object in accordance with the method of the present
invention. As is illustrated, the process begins at block
80 and thereafter passes to block 82 which illustrates
the receipt by a resource manager of an access
request for a resource object within that resource
manager's purview. Next, the process passes to block
84 which illustrates the query of the nearest Reference
Monitor application to determine whether or not
an access control profile exists for the resource object
or user in question.

Block 86 next depicts a determination of whether
or not the appropriate access control profile is defined
locally and if so, block 88 illustrates a determination
of whether or not access to the specific resource
object is permitted. This determination is, as those
skilled in the art will appreciate, simply a matter of
comparing the defined access control profile with the
parameters of the resource object and the user in
question. Thereafter, as illustrated in block 90, if the
determination of block 88 so permits, access to the
resource object is provided and the process terminates,
as depicted in block 92.

Returning to block 86, in the event an access control
profile is not defined locally, then block 94 illustrates
a determination of whether or not an
appropriate access control profile is defined anywhere
within the system. If so, block 96 depicts the
retrieval of that profile and the process then returns to
block 88 for a determination of whether or not access
to the selected resource object is permitted. Thereafter,
if access is permitted, the process passes to block
90 which illustrates the accessing of the resource
object and the subsequent termination of the process.

In the event the access control profile required is
not defined anywhere within data processing system
8 (see Figure 1) or access to the desired resource
object is not permitted, as illustrated by the determination
within block 88, then block 98 depicts the denial
of access to the requested resource object with an
appropriate message to the requester.
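The two flow charts above, taken together, amount to a small protocol: resource managers define profiles and park them in a Reference Monitor (Figure 3, blocks 62-70), and every access request is resolved by querying the nearest monitor first, then the rest of the system, before the retrieved profile is compared with the request (Figure 4, blocks 82-98). The following Python model is an added example and is not code from the patent or from IBM; the class names, the Figure 2 topology it constructs (monitors RM44 and RM50, managers 40, 46 and 52, objects 42, 48 and 54), the user names and the use of a per-profile set of permitted operations as the "parameters" compared in block 88 are all this example's own assumptions, since the patent does not say what a profile contains beyond the user/object pairing.

```python
"""Toy model of the profile exchange of Figures 3 and 4 (added example, not the
patent's own code; all class, function and user names are this example's)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    """One access control profile. The five kinds named in the description
    (single user, single object, group of users, set of objects, and set of
    objects plus list of users) differ only in how many users and objects
    the profile names. `operations` is this example's assumption about what
    the profile says once it matches."""
    users: FrozenSet[str]
    objects: FrozenSet[str]
    operations: FrozenSet[str]

    def covers(self, user: str, obj: str) -> bool:
        return user in self.users and obj in self.objects


class ReferenceMonitor:
    """Figure 3, blocks 64/70: stores profiles. Figure 4, blocks 84/94: answers lookups."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._profiles: List[Profile] = []

    def store(self, profile: Profile) -> None:
        self._profiles.append(profile)

    def lookup(self, user: str, obj: str) -> Optional[Profile]:
        # First profile naming both the user and the object, else None
        # (first match wins; the patent does not define a precedence rule).
        for p in self._profiles:
            if p.covers(user, obj):
                return p
        return None


class ResourceManager:
    """Controls a set of resource objects. `nearest` is the Reference Monitor
    queried first (block 84); `others` are the remaining monitors (block 94)."""

    def __init__(self, name: str, objects, nearest: ReferenceMonitor, others=()) -> None:
        self.name = name
        self.objects = frozenset(objects)
        self.nearest = nearest
        self.others = list(others)

    def request(self, user: str, obj: str, op: str) -> Tuple[bool, str]:
        # Block 82: the request must concern an object in this manager's purview.
        if obj not in self.objects:
            return False, f"{obj} is not managed by {self.name}"
        # Blocks 84/86: ask the nearest monitor first.
        profile = self.nearest.lookup(user, obj)
        source = self.nearest.name
        # Blocks 94/96: not defined locally, so look anywhere else in the system.
        if profile is None:
            for monitor in self.others:
                profile = monitor.lookup(user, obj)
                if profile is not None:
                    source = monitor.name
                    break
        # Block 98: no profile anywhere -> deny with a message.
        if profile is None:
            return False, f"ACCESS DENIED: no profile for ({user}, {obj})"
        # Block 88: compare the exchanged profile with the request parameters.
        if op not in profile.operations:
            return False, (f"ACCESS DENIED: profile from {source} permits "
                           f"{sorted(profile.operations)}, not {op}")
        # Block 90: access provided.
        return True, f"ACCESS GRANTED via profile from {source}"


def build_figure_2_system():
    """Constructed topology in the shape of Figure 2: monitors 44 (LAN 10) and
    50 (LAN 32); managers 40, 46 and 52 holding objects 42, 48 and 54. The
    main frame manager 52 has no monitor of its own and queries 44 then 50."""
    rm44 = ReferenceMonitor("RM44")
    rm50 = ReferenceMonitor("RM50")
    # Figure 3: profiles defined by the managers and stored in a monitor.
    rm44.store(Profile(frozenset({"bob", "carol"}), frozenset({"obj42", "obj48"}),
                       frozenset({"read"})))                      # group + set of objects
    rm50.store(Profile(frozenset({"alice"}), frozenset({"obj54"}),
                       frozenset({"read", "write"})))             # single user + single object
    rm50.store(Profile(frozenset({"dave"}), frozenset({"obj48"}), frozenset({"read"})))
    mgr40 = ResourceManager("mgr40", {"obj42"}, nearest=rm44, others=[rm50])
    mgr46 = ResourceManager("mgr46", {"obj48"}, nearest=rm50, others=[rm44])
    mgr52 = ResourceManager("mgr52", {"obj54"}, nearest=rm44, others=[rm50])
    return mgr40, mgr46, mgr52


def demo():
    """Run the four request paths of Figure 4 against the constructed system."""
    mgr40, mgr46, mgr52 = build_figure_2_system()
    return {
        "alice_reads_54": mgr52.request("alice", "obj54", "read"),    # found at RM50, not RM44
        "alice_deletes_54": mgr52.request("alice", "obj54", "delete"),  # profile found, op refused
        "bob_reads_48": mgr46.request("bob", "obj48", "read"),        # group profile held at RM44
        "mallory_reads_42": mgr40.request("mallory", "obj42", "read"),  # no profile anywhere
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'GRANTED' if ok else 'DENIED'} ({why})")
```

Two points the flow charts leave open are worth noting when turning this into a real service. First, the patent's block 94 "defined anywhere within the system" is a fan-out query; the model simply walks the other monitors in order, and a deployment would need a lookup order or directory so that a user enrolled at one monitor cannot be shadowed by a conflicting profile at another. Second, the resource manager here trusts whatever profile a monitor hands back; the profile exchange is the whole access decision, so the channel to each Reference Monitor needs mutual authentication and integrity protection, otherwise a forged or modified profile grants access exactly as a genuine one would.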

Upon reference to the foregoing, those skilled in
the art will appreciate that by utilizing one or more
Reference Monitor applications within a distributed
data processing system, each containing one or more
access control profiles relating to resource objects or
users, it will be possible to control access to a plurality
of resource objects located within various subsections
of a distributed data processing system, without
requiring each individual user within the distributed
data processing system 8 to enroll with each resource
manager located at every point within the system. By
permitting the rapid and efficient interchange of
access control profiles containing access control
information throughout the system, necessary access
control decisions are made at a limited number of
locations and the process is greatly enhanced in
terms of efficiency.



Claims 

1. A method of providing user access control for a
plurality of resource objects within a distributed
data processing system having a plurality of
resource managers associated with said plurality
of resource objects, said method comprising the
steps of:

storing a plurality of access control profiles
within a reference monitor service (64);

exchanging a selected access control profile
between said reference monitor service and a
selected resource manager in response to an
attempted access of a particular resource object
(82); and

utilizing said resource manager to control
access to said particular resource object in
accordance with said selected access control
profile (90, 98).

2. The method according to Claim 1 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected user.

3. The method according to Claim 1 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected resource object.

4. The method according to Claim 1 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected group of users.

5. The method according to Claim 1 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected set of resource objects.

6. The method according to Claim 1 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a predetermined set of resource objects and a
selected list of users each authorized to access
at least a portion of said predetermined set of
resource objects.

7. A method of providing user access control for a
plurality of resource objects within a distributed
data processing system having a plurality of
resource managers associated with said plurality
of resource objects, said method comprising the
steps of:

establishing a reference monitor service
within said distributed data processing system;

storing a plurality of access control profiles
within said reference monitor service;

exchanging a selected access control profile
between said reference monitor service and a
selected resource manager in response to an
attempted access of a particular resource object;
and

utilizing said resource manager to control
access to said particular resource object in
accordance with said selected access control
profile.

8. The method according to Claim 7 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected user.

9. The method according to Claim 7 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected resource object.

10. The method according to Claim 7 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected group of users.

11. The method according to Claim 7 wherein selected
ones of said plurality of access control profiles
each include access control information relating
to a selected set of resource objects.




Fig. 4 (flow chart; of the block labels only "ACCESS DENIED" is legible)






Jouve, 18, rue Saint-Denis, 75001 PARIS






EP 0 442 838 A3

European Patent Office

EUROPEAN SEARCH REPORT

Application Number: EP 91 48 0002



DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document with indication, where appropriate, of relevant passages / Relevant to claim

IEEE SYMPOSIUM ON SECURITY AND PRIVACY, April 1983, OAKLAND, US; pages 39-49;
S.T. VINTER, "Extended Discretionary Access Controls"
  * abstract; figure 3 *
  * page 40, left column, line 27 - line 35 *
  * page 41, left column, line 36 - left column, line 38 *
  * page 44, right column, line 1 - page 45, left column, line 30 *
  * page 46, left column, line 39 - page 47, left column, line 20 *
Relevant to claim: 1-11

IEEE SYMPOSIUM ON SECURITY AND PRIVACY, April 1986, OAKLAND, US; pages 204-222;
D.M. NESSETT, "Factors Affecting Distributed System Security"
  * abstract; figure 3 *
  * page 207, left column, line 1 - page 208, left column, line 33 *
  * page 217, right column, line 7 - line 57 *
Relevant to claim: 1-11

PROC. SPRING JOINT COMPUTER CONF., 1972, ATLANTIC CITY, US; pages 417-429;
G.S. GRAHAM ET AL., "Protection - Principles and Practice"
  * figure 1 *
  * page 418, left column, line 29 - page 419, right column, line 52 *
  * table I *
Relevant to claim: (not legible)

-/--

The present search report has been drawn up for all claims.

Place of search: THE HAGUE
Date of completion of the search: 28 October 1993
Examiner: POWELL, D.

CLASSIFICATION OF THE APPLICATION (Int. Cl.5): G06F1/00, G06F12/14
TECHNICAL FIELDS SEARCHED (Int. Cl.5): G06F

CATEGORY OF CITED DOCUMENTS
X : particularly relevant if taken alone
Y : particularly relevant if combined with another document of the same category
A : technological background
O : non-written disclosure
P : intermediate document
T : theory or principle underlying the invention
E : earlier patent document, but published on, or after the filing date
D : document cited in the application
L : document cited for other reasons
& : member of the same patent family, corresponding document



DOCUMENTS CONSIDERED TO BE RELEVANT (continued)

IBM TECHNICAL DISCLOSURE BULLETIN, vol. 32, no. 10A, March 1990, NEW YORK, US; page 396;
"Reference Monitor - Location of Resource Set Access"
  * the whole document *
Relevant to claim: 4-6, 10, 11

The present search report has been drawn up for all claims.

Place of search: THE HAGUE
Date of completion of the search: 28 October 1993
Examiner: POWELL, D.






